$900.00

Physical Security Plan (PSP)

SKU:
P23-PSP


Physical Security Plan (PSP) 

The Physical Security Plan (PSP) was created with the intent to minimize risk to an organization’s systems and data by addressing applicable physical security and environmental concerns and establishing processes that will help ensure physical security and environmental risks are minimized or avoided. Although this is a physical security plan tailored towards cybersecurity, it can be taken and modified by other departments to create more of a "global" physical security plan that spans the entire organization.

What Is Included With The PSP? 

The PSP is a one-time purchase that comes with a combination of editable Microsoft Word & Excel templates. There is no software to install. Upon purchase, you get the following material as part of the PSP:

  • Organization-level cybersecurity Risk Management Program (RMP);
  • A Microsoft Word document template that contains:
    • A physical security policy;
    • A facilities listing;
    • A physical security points of contact (POC) list;
    • An applicable natural & man-made threats list;
    • A physical access control (PAC) measure list;
    • And more; and
  • A Microsoft Excel document template containing a physical security device inventory that includes:
    • Physical security cameras;
    • Physical access devices; and
    • Security alarm devices.

How Much Customization Is Remaining?

Given the difficult nature of writing templated policy and standards, we aimed for approximately an "80% solution" since it is impossible to write a 100% complete cookie cutter document that can be equally applied across multiple organizations. This means ComplianceForge did the heavy lifting for you, and all you have to do is fine-tune the policies and standards with the specific information that only you know to make it applicable to your organization. It is pretty much filling in the blanks and following the helpful guidance that we provide to identify the who / what / when / where / why / how to make it complete.

Defining The Requirement For On-Site Assessments 

One of the greatest “the path to hell is paved with good intentions” issues within the Cybersecurity Maturity Model Certification (CMMC) ecosystem and among CMMC Third-Party Assessment Organizations (C3PAO) is reading into requirements, specifically around Section P.11 of the CMMC Assessment Process (CAP).

Section P.11 can be found on page 10 of the CAP and it states: “Another consideration of framing the assessment involves determining assessment location(s), including what security requirement objectives of the assessment might be assessed virtually or in-person on the OSC premises. The Lead CCA and/or the C3PAO should consider the optimal logistical approach for implementation validation of the following 18 CMMC security requirement objectives to ensure adequate assessment scope and depth:

  • L2-3.4.5[d]: Physical access restrictions associated with changes to the system are enforced.
  • L2-3.7.2[d]: Personnel used to conduct system maintenance are controlled.
  • L2-3.8.1[c]: Paper media containing CUI is securely stored.
  • L2-3.8.1[d]: Digital media containing CUI is securely stored.
  • L2-3.8.4[a]: Media containing CUI is marked with applicable CUI markings.
  • L2-3.8.4[b]: Media containing CUI is marked with distribution limitations.
  • L1-3.10.1[b]: Physical access to organization systems is limited to authorized individuals.
  • L1-3.10.1[c]: Physical access to equipment is limited to authorized individuals.
  • L1-3.10.1[d]: Physical access to operating environments is limited to authorized individuals.
  • L2-3.10.2[a]: The physical facility where organizational systems reside is protected.
  • L2-3.10.2[b]: The support infrastructure for organizational systems is protected.
  • L2-3.10.2[c]: The physical facility where organizational systems reside is monitored.
  • L2-3.10.2[d]: The support infrastructure for organizational systems is monitored.
  • L1-3.10.3[a]: Visitors are escorted.
  • L1-3.10.3[b]: Visitor activity is monitored.
  • L1-3.10.5[b]: Physical access devices are controlled.
  • L1-3.10.5[c]: Physical access devices are managed.
  • L2-3.13.12[b]: Collaborative computing devices provide indication to users of devices in use. 

NOTE: For OSC CMMC-scoped environments that DO NOT have physical and/or environmental controls due to a cloud environment or other factors that negate conducting an “on-site” portion of the assessment, the applicability of these requirements should be addressed between the OSC and the C3PAO in Phase 1.”

No Software To Install 

The PSP is editable documentation, so there is no software to install. If you can use Microsoft Word and Excel, then you can edit the PSP for your organization’s specific needs. The PSP can save your organization considerable hours in labor-related expenses by leveraging a professionally-written solution for your documentation needs. Not only is this professionally-written, it has also been reviewed by law enforcement with experience in physical security & force protection and by certified assessors. This document has been designed to be efficient in implementing or improving an organization’s physical security capabilities and for being utilized within assessments.

Cost Savings Estimate 

The PSP is approximately 10% of the cost for a consultant or 20% of the cost of your internal staff to generate equivalent documentation. For your internal staff to generate comparable documentation, it would take them an estimated 40 internal staff work hours, which equates to a cost of approximately $4,000 in staff-related expenses. This is about 1 to 2 weeks of development time where your staff would be diverted from other work. If you hire a consultant to generate this documentation, it would take them an estimated 25 consultant work hours, which equates to a cost of approximately $8,125. This is about 3 - 5 days of development time for a contractor to provide you with the deliverable.

 

Optional Professional Services (Add On)

ComplianceForge offers optional professional services to customize purchased documentation. Professional services are not required to customize ComplianceForge documentation. However, some clients want our subject matter expertise to help customize their documentation to meet their specific business needs. If you have any questions about our professional services, please contact us at: www.complianceforge.com/contact-us/.

We offer our professional services in bundles of: five (5), ten (10) & twenty (20) hours.

Purchased professional service hours expire 120 days (4 months) from the time of purchase.